PLEASE HELP.. same config but not working! from PA 3050 to PA 3220


L2 Linker

Dear experts,

 

I am moving from PA3050 to PA3220. I exported the current configuration from the old PA3050 and imported it to the new PA3220, and I committed successfully, but when I migrate cables from the old device to the new one I get random issues! For example, some zones are not reachable; I have ping to the internet, telnet and traceroute, but I can't browse; and I can't ping some destinations. WEIRD! It's the SAME configuration and the OS versions are the same on both devices. Plus, I downloaded and installed the latest content version on both devices before exporting the config file.xml.

 

NOTE: when I move to the old PA3050, everything works properly!

 

One more thing, we have A10 (SSL Interception) connected to PA from external side and StormShield (AS core firewall).

 

 

REALLY WOULD APPRECIATE YOUR HELP. 

24 REPLIES 24

1) I am using ports 1-12
2) I didn't compare through config audit; I will do so
3) I see resets, but all actions are allowed..

@rmfalconer what is the exact name of the asymmetric routing setting? Below are my session settings

 

Session setup
TCP - reject non-SYN first packet: False
Hardware session offloading: True
Hardware UDP session offloading: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
ICMP Unreachable Packet Rate: 200 pps

@BPry I checked the configuration syntax, it's exactly the same.. :S Any other suggestions?

The setting that shows that asymmetry is permitted is "TCP - reject non-SYN first packet: False"

Is this on both firewalls?

 

Are you absolutely sure that this is a setting you want enabled? It's definitely not best practice to enable. Do you know why you have flows bypassing the firewall?

For sure no, I don't keep such a setting, but I did that for testing purposes. It was "True"; I put it to "False" to check if the issue would get resolved, but it didn't. Is it possible that the A10 device causes such an issue? Maybe its SFPs are not compatible with the new PA Ethernet ports?

 

 

 

 

So both old and new firewall are set to True?

 

I think you said you're using the copper interfaces on the PA? Do they connect directly to the A10? SFPs on another device shouldn't matter for the connection to the PA.

If you haven't figured this out, inbox me and I can help you.

Yes, on both devices it's True.

 

Palo Alto Copper interfaces are connecting to the A10 device (using SFPs Fiber to Copper).

Yes, please, I would appreciate it if you can help with this.. but I don't know how to inbox you from here -_-

L2 Linker

Dears,

 

This is to inform you that this issue has finally been solved! There was a static ARP on the core firewall interface. We put dynamic and all worked properly.

 

 

Thank you all.
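A check for the cause reported above, as an added example that is not part of the original thread: it audits an adjacent device's neighbour table for static entries that still hold a MAC other than the replacement firewall's. It assumes the static ARP had pinned the old unit's MAC (the thread does not say), uses Linux `ip neigh show` text as a stand-in for the neighbour's ARP export, and all IPs and MACs are constructed.

```python
import re

# Constructed sample: neighbour table of a device adjacent to the firewall,
# in Linux `ip neigh show` format. PERMANENT marks a static entry.
SAMPLE_NEIGH = """\
10.10.1.1 dev eth1 lladdr 02:aa:00:00:00:01 PERMANENT
10.10.2.1 dev eth2 lladdr 02:bb:00:00:00:02 REACHABLE
10.10.3.1 dev eth3 lladdr 02:BB:00:00:00:03 PERMANENT
10.10.9.9 dev eth1 lladdr 02:cc:00:00:00:99 STALE
10.10.4.1 dev eth4 FAILED
10.10.5.1 dev eth5 lladdr 02:aa:00:00:00:05 STALE
"""

# Constructed inventory: firewall interface IP -> MAC of the NEW unit.
NEW_FW_MACS = {
    "10.10.1.1": "02:bb:00:00:00:01",
    "10.10.2.1": "02:bb:00:00:00:02",
    "10.10.3.1": "02:bb:00:00:00:03",
    "10.10.4.1": "02:bb:00:00:00:04",
    "10.10.5.1": "02:bb:00:00:00:05",
}

LINE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>\S+))? (?P<state>[A-Z]+)$"
)

def audit_neighbours(table, expected):
    """Return (ip, dev, finding) for firewall IPs that resolve wrongly or not at all."""
    findings = []
    for raw in table.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["ip"] not in expected:
            continue  # unparsable line, or not a firewall interface address
        want = expected[m["ip"]].lower()
        mac = (m["mac"] or "").lower()
        if m["state"] in ("FAILED", "INCOMPLETE"):
            findings.append((m["ip"], m["dev"], "unresolved"))
        elif mac != want and m["state"] == "PERMANENT":
            # Never ages out: traffic keeps going to the wrong MAC until removed.
            findings.append((m["ip"], m["dev"], "stale-static"))
        elif mac != want:
            # Learned entry with a different MAC: refreshes on the next ARP exchange.
            findings.append((m["ip"], m["dev"], "dynamic-mismatch"))
    return findings

if __name__ == "__main__":
    for ip, dev, finding in audit_neighbours(SAMPLE_NEIGH, NEW_FW_MACS):
        print(f"{ip:<12} {dev:<6} {finding}")
```
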

 

 
